Use sessions in laravel APIs
Stefan Bogdanescu
Founder & Senior Architect · 2026-06-29
# The Stateless Dilemma: Using Sessions in Laravel APIs for Two-Factor Authentication
As a senior developer working with Laravel, we often build robust applications that handle complex authentication flows. One common pattern involves implementing Two-Factor Authentication (2FA) via SMS verification. The provided workflow demonstrates an attempt to use Laravel's `Session` mechanism to pass temporary data (tokens and SMS codes) between API calls. However, as you correctly pointed out, relying on sessions in a pure API context introduces significant architectural challenges.
This post will explore why sessions are problematic for stateless APIs and demonstrate the modern, robust alternative using token-based authentication, aligning with best practices in Laravel development.
## Why Sessions Fail in Stateless APIs
Laravel sessions are fundamentally designed to manage state tied to a specific user's browser session. They rely on server-side storage (files or database) linked to a session ID stored in a cookie. When building a pure API—where requests are typically handled independently without persistent browser context—relying on `Session::get()` and `Session::push()` breaks the stateless nature of the request/response cycle.
APIs thrive on being **stateless**: every request should contain all the necessary information to process it, and the server should not need to remember the context of previous requests unless explicitly provided. Using sessions forces you to manage state outside the request payload, leading to coupling issues and potential security vulnerabilities if not implemented perfectly across multiple endpoints.
## The Stateless Solution: Token-Based Authorization
Instead of relying on sessions for temporary data transfer in an API flow, the industry standard—and the most secure approach—is to use tokens. JSON Web Tokens (JWTs) or Laravel Sanctum tokens are specifically designed to carry necessary authorization and user context directly within the request itself. This keeps your API stateless and scalable.
For a 2FA verification workflow, we can refactor the provided example to store the necessary temporary data (the token and the SMS code expectation) in a secure, ephemeral location that is tied to the user ID, ideally stored in the database or a dedicated cache, rather than the session mechanism.
### Refactoring the SMS Verification Flow
Here is how we can adapt your workflow to be truly stateless, focusing on managing the state via a dedicated storage mechanism instead of sessions:
**Step 1: Login and Token Generation (Stateless)**
When a user successfully logs in and requires 2FA, you generate a unique, short-lived token. This token is stored in your database (or cache) linked to the user ID, along with the required verification state.
**Step 2: Sending the SMS (External Service)**
The system triggers the SMS delivery via an external service. The generated token must be securely associated with the user